Fail2ban Ignoreip=

[Andrew Byrd]

When I am entering ip addresses in the fail2ban ignore field, it tends to get long. I am separating each one with a space

So far I am doing this:

127.0.0.1/8 52.68.36.21 25.36.32.65 21.25.23.36

Can I do this instead?

127.0.0.1/8
52.68.36.21
25.36.32.65
21.25.23.36

Just trying to figure a better way to shorten the long string

***These are made up IP's above for example purposes only

 

[KonradSC]

Yes. That is how I list them.

 

[DigitalDaz]

You learn something new every day, I didn't know you could do this

 

[Andrew Byrd]

Well, I tried it and got an error code when saving


# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
73.207.0.0/16
69.194.0.0/16
24.131.0.0/16
24.75.0.0/16
66.44.0.0/16
96.91.134.77
96.91.0.0/16
174.49.0.0/16
207.89.0.0/16
52.41.52.34
52.8.201.128
52.60.138.31
50.17.48.216
34.209.216.231
52.8.194.208
34.200.114.108
52.14.37.123
64.136.174.30
64.136.173.22
209.166.128.200
192.240.151.100

Then I tried to restart Fail2ban

root@468AC01:~# service fail2ban restart
Job for fail2ban.service failed because the control process exited with error code.
See "systemctl status fail2ban.service" and "journalctl -xe" for details.
root@468AC01:~#

So I went to they systemctl status ... like it says above ...... and this is what it says

Jul 15 21:34:57 468AC01 systemd[1]: fail2ban.service: Unit entered failed state.
Jul 15 21:34:57 468AC01 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Jul 15 21:35:01 468AC01 CRON[7194]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 15 21:35:01 468AC01 CRON[7195]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jul 15 21:35:01 468AC01 CRON[7194]: pam_unix(cron:session): session closed for user root
Jul 15 21:35:11 468AC01 sshd[7197]: Invalid user demo from 41.204.191.53 port 58410
Jul 15 21:35:11 468AC01 sshd[7197]: input_userauth_request: invalid user demo [preauth]
Jul 15 21:35:11 468AC01 sshd[7197]: pam_unix(sshd:auth): check pass; user unknown
Jul 15 21:35:11 468AC01 sshd[7197]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
Jul 15 21:35:13 468AC01 sshd[7197]: Failed password for invalid user demo from 41.204.191.53 port 58410 ssh2
Jul 15 21:35:13 468AC01 sshd[7197]: Received disconnect from 41.204.191.53 port 58410:11: Bye Bye [preauth]
Jul 15 21:35:13 468AC01 sshd[7197]: Disconnected from 41.204.191.53 port 58410 [preauth]
Jul 15 21:35:18 468AC01 snmpd[706]: error on subcontainer 'ia_addr' insert (-1)
Jul 15 21:35:41 468AC01 sshd[7208]: Invalid user frappe from 113.90.95.180 port 25549
Jul 15 21:35:41 468AC01 sshd[7208]: input_userauth_request: invalid user frappe [preauth]
Jul 15 21:35:41 468AC01 sshd[7208]: pam_unix(sshd:auth): check pass; user unknown
Jul 15 21:35:41 468AC01 sshd[7208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
Jul 15 21:35:43 468AC01 sshd[7208]: Failed password for invalid user frappe from 113.90.95.180 port 25549 ssh2
Jul 15 21:35:43 468AC01 sshd[7208]: Received disconnect from 113.90.95.180 port 25549:11: Bye Bye [preauth]
Jul 15 21:35:43 468AC01 sshd[7208]: Disconnected from 113.90.95.180 port 25549 [preauth]
Jul 15 21:35:47 468AC01 dhclient[1589]: XMT: Solicit on eth0, interval 117460ms.
Jul 15 21:35:47 468AC01 dhclient[1589]: RCV: Advertise message on eth0 from fe80::250:56ff:fe89:5288.
Jul 15 21:35:47 468AC01 dhclient[1589]: RCV: Advertise message on eth0 from fe80::250:56ff:fe89:53e2.
Jul 15 21:35:48 468AC01 snmpd[706]: error on subcontainer 'ia_addr' insert (-1)



Any ideas what I did wrong here?

 

[Andrew Byrd]

You ever heard of "Choose your battles?"

I just put it back and this works fine

127.0.0.1/8 52.68.36.21 25.36.32.65 21.25.23.36

 

[JamesBorne]

Documentation states a CIDR will work in a space separated list.

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not                          
# ban a host which matches an address in this list. Several addresses can be                             
# defined using space separator.
                                                                         
ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8

Source: https://www.fail2ban.org/wiki/index.php/Whitelist

 

[vespaman]

Andrew Byrd just as a matter of interest does the comma work ?

ignoreip = 127.0.0.1/8,
73.207.0.0/16,
69.194.0.0/16,
24.131.0.0/16,

 

[Andrew Byrd]

No I tried the comma - no go

 

[JamesBorne]

Out of curiosity, what version does this give you?
sudo fail2ban-server -V

 

[Andrew Byrd]

Fail2Ban v0.9.6

Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

 

[JamesBorne]

Same version as @Andrew Byrd (Fail2Ban v0.9.6), couldn't get it to accept multi-line.
Would like to know what version @KonradSC is on!

 

[KonradSC]

You need a space in there and not just a carriage return.

ignoreip = 127.0.0.1
10.10.10.10
1.1.1.1

 

[KonradSC]

ignoreip = 127.0.0.1
(space)10.10.10.10
1.1.1.1

 

[JamesBorne]

Thanks @KonradSC, that worked.
New line works so long as there is a space at the start of each new line.